April 2026 Releases

If more than 250 remap rules were created, they caused up to 1000 post variables to be sent on save. This volume of post variables exceeded PHP’s max post vars limit of 1000.

Rule posting has been refactored to fix this limitation through pagination, which means remap rules can now be saved in the remap manager.

When Matrix was migrated from version 5.5 to version 6, Bootstrap and the Reset CSS framework were used to build the user interface.

In the WYSIWYG backend, the interface table caption is rendered below the table.

A CSS style fix was added to move the table caption to its original position before the WYSIWYG table.

Now Content Editors see the table caption before the WYSIWYG table in the backend.

A deprecation flag has been added to prefer the restricted (non-data) paths to start the transition away from generally using data for files.

Files have historically preferred the unrestricted (__data) paths due to performance concerns that are no longer relevant. This preference causes confusion and extra load as statuses change and files move in and out of __data.

In the template builder UI, the resource browser ensures that only valid Content Page assets can be chosen as the reference page for template preview. These same restrictions were also needed for the Asset Management API so that users did not end up with an invalid reference page.

API users now receive a 400 Bad Request response if they have provided an invalid value for the referencePage in the body of their POST/PATCH request for a Content Template asset.

For status transitions of content template assets, the sync with the template service occurred before the asset status succeeded or failed to change to an updated status.

There were a few edge cases where the template service "publishes" the template, even when the template failed to go from Under Construction → Live. This false publishing event resulted in a broken Content screen for the asset, leaving it in an uneditable state.

The fix changes the code execution order so that the template service sync only runs after the asset has successfully changed status. Template service records now always remain in sync with the Content Management status, which prevents the asset from entering a broken state.

When connecting through a WebDAV client, collections from specific tenants were missing.

The connection logic has been updated to iterate through all assigned custom roles when a client connects. The system now correctly identifies and shows all collections a user is authorized to access, regardless of whether the role is primary or tenant-customized.

Users now see a comprehensive list of available clients and resources upon sign in.

Users assigned a custom role with the "Create Role" permission were unable to create roles. A lack of access to Role Suffixes caused the failure.

Previously, only Squiz DXP owners had the necessary oversight to manage these suffixes, blocking delegated administration. The system now properly supports delegated role creation through three key updates:

In Search, the "Description" field for Resource or Owner-Resource roles is used to fill in the client-switching dropdown. However, because the field was labeled "Description" across all role types, users were often unaware that this text can be visible in the public-facing UI.

To improve clarity, the label for this field has been changed to Display Name when managing Resource or Owner-Resource roles. For all other roles, the label remains Description to reflect its internal-only use. Administrators now understand exactly where the text will appear before saving changes.

The export option was either missing or broken on the Accessibility Auditor and Search analytics pages after upgrading to the Angular 16 version.

The export option is available on all pages under Accessibility Auditor and Search Analytics.

Previously, if a Scheduled Task encountered an error reading a Collection or found a configuration error within a Collection, the entire "Scheduled Tasks" list may fail to load, displaying only a generic "Error" message at the top of the page.

The interface now handles these errors gracefully. The list loads successfully, and any task with a problematic Collection will be marked in red with the specific status "Collection configuration error."

Administrators can now identify and fix specific issues without losing access to the rest of the task list.

When Custom Roles were implemented, the Resource and Owner-Resource roles were set to read-only. This role lock inadvertently prevented further modifications to the "Description" field (used for the client dropdown).

Users were unable to correct or update confusing or auto-generated instance names that appeared in the Search client dropdown, as the underlying field was no longer editable.

The system has been updated to reinstate edit permissions for this specific field. Additionally, synchronization logic was added to ensure the Display Name is copied between Resource and Owner-Resource roles when Custom Roles are toggled.

The field is now editable on the Resource role (for standard instances) and the Owner-Resource role (for custom role instances). Administrators can now manage client dropdown entries at any time, regardless of the role configuration.

The PDFBox library (version 2.0.26 and earlier) contained bugs that caused the crawler to stop responding indefinitely when parsing specific PDF documents. Furthermore, complex accessibility checks often lacked independent execution limits, risking overall crawl stability.

Previously, certain unhandled exceptions could reveal internal directory structures or database queries in the browser. To prevent potential information disclosure, exception states were reviewed to ensure that detailed stack traces and technical error messages are not exposed to end users.

All sensitive technical information and verbose debugging data are now suppressed from responses and redirected to internal logs only. Custom error pages have been configured across the environment to present generic, user-friendly messages.

When attempting to upload the configuration file “test.ctest” through the Search Configuration Files screen, the system would trigger an error message and block the upload. This error was due to an overly restrictive allow-list in the file validation service.

The file validation logic has been updated to permit these files.

Add support for the HTML (H) display mode, plus these options:

In prefix mode, the query is no longer split into individual terms by spaces.

The whole query (minus wildcards) is now passed as a single term to the suggestion API, which changes how suggestions are returned.

For example, "This is a test query ca" now gets suggestions for the full phrase rather than just the last word "ca".

Previously, events were triggered during the index phase. This timing could lead to premature notifications before the data was actually live and available to users via a view swap or successful commit.

The event triggering logic has been moved to the final stage of the indexing lifecycle. Events are now triggered as a post-swap or post-commit step, ensuring that downstream processes or notifications only occur once the search index is fully updated and live.

Specifically, events are now sent after a successful view swap for non-push data sources and after a commit for push data sources. Additionally, a new event is triggered upon the stop of a non-push data source update.

When clicking on a facet that contained certain characters, no results were displayed because of the way Padre was indexing the + symbol.

The fix ensures search results are displayed correctly when a facet containing a + character is selected. Generated facets are now correctly escaped when they contain the + symbol.

Fixed incorrect timestamp in the error notification.

Operators could not see full error detail on the thread error view.

Fixed error details not being available on the Thread Error page.

History navigation on the Flow page was stuck after a single Back action.

Fixed the browser Back button only working once and blocking further history navigation on the Flow page.

Alerts and copy did not match non-80% thresholds or distinguish message count from CPU/MEM.

Fixed quota exhaustion notification templates for non-80% thresholds and clarified message-count vs. CPU/MEM wording.

Unlimited contracts displayed an incorrect negative value in the diagram.

Fixed Memory Usage History showing -1.024 KB for contracts with unlimited quota.

Month rollover did not clear usage for idle workspaces or contracts.

Fixed message-count monthly usage not resetting for workspaces and contracts without active flows at the beginning of the month.

Fixed the "Something is technically wrong" page on Contract Quota Usages when usage was not found for per_contract_container_count_limit and per_contract_message_count_limit.

Navigation in Developer Team could throw a component lookup error.

Fixed Component not found when clicking Back in the Developer Team section.

Manual typing in several editors reset caret position incorrectly.

Fixed cursor jumping to the first position when typing into input fields for mapping, sample, config, and retry.

Users could activate recipes without filling required variables.

Fixed missing required validation for variable fields on the recipe activation page (frontend validation added).

Rapid REST API config changes could crash the platform UI.

Fixed platform UI crashes when switching between REST API configurations.

Auth actions stayed enabled when required secrets were empty.

Fixed Verify and Save remaining active for Basic Auth or API Key Auth types without required credentials filled in.

Initial component release which adds this feature:

Initial component release which adds these features:

Removed unnecessary dependencies.

Fixed certificate error in "Subscribe to platform events" trigger.

Fixed ClassCastException in MessageResolverImpl when message body was a JSON array; graceful handling for missing or null message bodies

General improvements to syntax error highlighting in JSONata mode which improve editor feedback when authoring JSONata expressions.

The CMS session cookie has historically been served without the SameSite attribute set. To provide additional protection against potential cross-site request forgery (CSRF) attacks, the attribute can now be adjusted in the System Configuration  Sign-in/session settings.

An option has been added under Sign-in/session settings called Set 'SameSite' flag for session cookies. Users can change this option with the Root User privilege.

The option can be set to these values:

Unencoded spaces were not being correctly handled in URLs and in remap rules.

URLs containing spaces in remaps on an Asset can cause the remap rule to break.

Remap rules now correctly handle the space character by encoding it as %20 when saving and decoding it when retrieving.

Remap rules with spaces inside (for example, http://some-site/some page) now correctly map to the desired remap URL.

When public permission was granted, this would often appear as "Restricted Asset" rather than a name indicating the special nature of the Public Access User.

Asset name display rules were updated to have a special case for the Public User asset in the administration interface.

This rule change will make it clearer that this special form of access has been granted for users who do not have write permissions to the Public User asset.

In some situations, inserting asset linking tree rows can cause a duplicate key / unique constraint violation after an incomplete tree cleanup. Separately, when Allow trashing without lock was enabled, creating the trash folder link could still be subject to locking at the run level and lock acquisition that contradicted that setting.

Operations could fail with "Unable to insert child tree entries…​" instead of allowing a controlled recovery path, and delete-to-trash could still fail or require locks that the configuration was meant to avoid.

These system settings are now available:

Opening the edit panel for a block in unused content can add parameter values to the _unusedActiveBlock URL parameter, but does not affect the page.

The _unusedActiveBlock is no longer populated in the URL when the edit panel is opened for a block in unused content.

Security improvements address dependency vulnerabilities.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Separate reporting for message quota at contract and workspace level is now available for contract message usage.

After the first failed 2FA attempt, the system clears all code fields and returns focus to the first field to reduce accidental lockouts and redundant requests after a failed two-factor attempt.

The platform displays jsonataMap under the component/step on the execution page so that mapping configuration is visible in the execution context.

Flow creators now receive error notifications after common flow lifecycle actions, including:

The flow creator is automatically subscribed to the flow’s errors after these actions.

Read the April 2026 new features to learn more.